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Abstract. We argue that verification of recursive programs by means of the as- 
sertional method of C A.R. Hoare can be conceptually simplified using a modular 
reasoning. In this approach some properties of the program are established first 
and subsequently used to establish other program properties. We illustrate this 
approach by providing a modular correctness proof of the Quicksort program. 

1 Introduction 

Program verification by means of the assertional method of Hoare (so-called Hoare's 
logic) is by now well-understood. One of its drawbacks is that it calls for a tedious 
manipulation of assertions, which is error prone. The support offered by the available 
by interactive proof checkers, such as PVS (Prototype Verification System), see fl5l . is 
very limited. 

One way to reduce the complexity of an assertional correctness proof is by organiz- 
ing it into a series of simpler proofs. For example, to prove {p} S {qi A q2} we could 
establish {p} S {q\} and {p} S {92} separately (and independently). Such an obvious 
approach is clearly of very limited use. 

In this paper we propose a different approach that is appropriate for recursive pro- 
grams. In this approach a simpler property, say {pi} S {qi}, is established first and 
then used in the proof of another property, say {^2} S {92}- This allows us to establish 
{pi A P2] S {qi A 52} in a modular way. It is obvious how to generalize this approach 
to an arbitrary sequence of program properties for which the earlier properties are used 
in the proofs of the latter ones. So, in contrast to the simplistic approach mentioned 
above, the proofs of the program properties are not independent but are arranged in- 
stead into an acyclic directed graph. 

We illustrate this approach by providing a modular correctness proof of the Quick- 
sort program due to [ 10 1 . This yields a correctness proof that is better structured and 
conceptually easier to understand than the original one, given in Q. A minor point 
is that we use different proof rules concerning procedure calls and also provide an 
assertional proof of termination of the program, a property not considered in Q. (It 
should be noted that termination of recursive procedures with parameters within the 
framework of the assertional method was considered only in the eighties, see, e.g., 0. 
In these proofs some subtleties arise that necessitate a careful exposition, see |fl~).) 

We should mention here two other references concerning formal verification of the 
Quicksort program. In |6| the proof of Quicksort is certified using the interactive 



theorem prover Coq, while in |[T3l a correctness proof of a non-recursive version of 
Quicksort is given. 

The paper is organized as follows. In the next section we introduce a small pro- 
gramming language that involves recursive procedures with parameters called by value 
and discuss its operational semantics. Then, in Section|3]we introduce a proof system 
for proving partial and total correctness of these programs. The presentation in these 
two sections is pretty standard except for the treatment of the call-by-value parameter 
mechanism that avoids the use of substitution. 

Next, in Section|4]we discuss how the correctness proofs, both of partial and of total 
correctness, can be structured in a modular way. In Section[5]we illustrate this approach 
by proving correctness of the Quicksort program while in Section|6]we discuss related 
work and draw some conclusions. Finally, in the appendix we list the used axioms and 
proof rules concerned with non-recursive programs. The soundness of the considered 
proof systems is rigorously established in Q using the operational semantics of II 1 61 1 71 . 

2 A small programming language 

Syntax 

We use simple variables and array variables. Simple variables are of a basic type (for 
example integer or Boolean), while array variables are of a higher type (for example 
integer x Boolean — » integer). A subscripted variable derived from an array variable 
a of type T\ x . . . x T n — > T is an expression of the form a[tx, ■ ■ ., t n ], where each 
expression is of type Tj. 

In this section we introduce a class of recursive programs as an extension of the 
class of while programs which are generated by the following grammar: 

S ::= skip | u := t \ x := t \ Si; S 2 | if B then Si else S 2 A | while B do Si od, 

where S stands for a typical statement or program, u for a simple or subscripted vari- 
able, t for an expression (of the same type as u), and B for a Boolean expression. 
Further, x := i is a parallel assignment, with x — xi, . . . ,x n a non-empty list of 
distinct simple variables and t = ti, . . . ,t n a list of expressions of the correspond- 
ing types. The parallel assignment plays a crucial role in our modelling of the pa- 
rameter passing. We do not discuss the types and only assume that the set of basic 
types includes at least the types integer and Boolean. As an abbreviation we introduce 
if B then S fi = if B then S else skip fl. 

Given an expression t, we denote by var{t) the set of all simple and array variables 
that appear in t. Analogously, given a program S, we denote by var(S) the set of all 
simple and array variables that appear in S, and by change(S) the set of all simple and 
array variables that can be modified by S, i.e., the set of variables that appear on the 
left-hand side of an assignment in S. 

We arrive at recursive programs by adding recursive procedures with call-by-value 
parameters. To distinguish between local and global variables, we first introduce a block 
statement by the grammar rule 



S ::= begin local x :— t; Si end. 



A block statement introduces a non-empty sequence x of simple local variables, all of 
which are explicitly initialized by means of a parallel assignment x := i, and provides 
an explicit scope for these simple local variables. The precise explanation of a scope is 
more complicated because the block statements can be nested. 

Assuming x = x\, . . .,Xk and i — t\, . . ., tk, each occurrence of a local variable 
Xi within the statement Si and not within another block statement that is a subprogram 
of Si refers to the same variable. Each such variable Xi is initialized to the expression 
ti by means of the parallel assignment x := t. Further, given a statement S' such that 
begin local x := t; Si end is a subprogram of S', all occurrences of Xi in S' outside 
this block statement refer to some other variable(s). 

Procedure calls with parameters are introduced by the grammar rule 

S ::= P(ti, . . . , t n ), 

where P is a procedure identifier and ti,...,t n , with n > 0, are expressions called 
actual parameters. The statement P(ti , . . . , t n ) is called a procedure call. The resulting 
class of programs is then called recursive programs. 
Procedures are defined by declarations of the form 

P(m, . . .,u n ) :: S, 

where m, . . . , u n are distinct simple variables, called formal parameters of the proce- 
dure P and S is the body of the procedure P. 

We assume a given set of procedure declarations D such that each procedure that 
appears in D has a unique declaration in D. When considering recursive programs we 
assume that all procedures whose calls appear in the considered recursive programs are 
declared in D. Additionally, we assume that the procedure calls are well-typed, which 
means that the numbers of formal and actual parameters agree and that for each param- 
eter position the types of the corresponding actual and formal parameters coincide. 

Given a recursive program S, we call a variable Xi local if it appears within a sub- 
program of D or S of the form begin local x :— i; Si end with x — xi, . . .,Xk, and 
global otherwise. 

To avoid possible name clashes between local and global variables we assume that 
given a set of procedure declarations D and a recursive program S, no local variable of 
S occurs in D. So given the procedure declaration 

P :: if x = 1 then b := true else b := false fl 

the program 

S = begin local x := l;P end 

is not allowed. If it were, the semantics we are about to introduce would allow us to 
conclude that {x = 0} S {b} holds. However, the customary semantics of the programs 
in the presence of procedures prescribes that in this case {x — 0} S {->&} should hold, 
as the meaning of a program should not depend on the choice of the names of its local 
variables. (This is a consequence of the so-called static scope of the variables that we 
assume here.) 



This problem is trivially solved by just renaming the 'offensive' local variables to 
avoid name clashes, so by considering here the program begin local y := 1; P end in- 
stead of S. Once we limit ourselves to recursive programs no local variable of which 
occurs in the considered set of procedure declarations, the semantics we introduce en- 
sures that the names of local variables indeed do not matter. More precisely, the pro- 
grams that only differ in the choice of the names of local variables and obey the above 
syntactic restriction have then identical meaning. In what follows, when considering 
a recursive program S in the context of a set of procedure declarations D we always 
implicitly assume that the above syntactic restriction is satisfied. 

The local and global variables play an analogous role to the bound and free variables 
in first-order formulas or in A-terms. In fact, the above syntactic restriction corresponds 
to the 'Variable Convention' of |0] page 26] according to which "all bound variables 
are chosen to be different from the free variables." 

Note that the above definition of programs puts no restrictions on the actual param- 
eters in procedure calls; in particular they can be formal parameters or global variables. 

Semantics 

For recursive programs we use a structural operational semantics in the sense of Plotkin 
ifTTl . As usual, it is defined in terms of transitions between configurations. A configu- 
ration C is a pair < S, a > consisting a statement S that is to be executed and a state 
a that assigns a value to each variable (including local variables). A transition is writ- 
ten as a step C — > C between configurations. To express termination we use the empty 
statement E; a configuration < E, a > denotes termination in the state a. 

Transitions are specified by the transition axioms and rules which are defined in the 
context of a set D of procedure declarations. The only transition axioms that are some- 
what non-standard are the ones that deal with the block statement and the procedure 
calls, in that they avoid the use of substitution thanks to the use of parallel assignment: 

< begin local x :— i; S end, a > — » < x := t; S; x := cr(x), a >, 

< P(t); R,a> — > < begin local u :— t;S end; R, a >, 
where P(u) :: S G D. 

The first axiom ensures that the local variables are initialized as prescribed by the 
parallel assignment and that upon termination the global variables whose names coin- 
cide with the local variables are restored to their initial values, held at the beginning of 
the block statement. This is a way of implicitly modeling a stack discipline for (nested) 
blocks. So the use of the block statement in the second transition axiom ensures that 
prior to the execution of the procedure body the formal parameters are simultaneously 
instantiated to the actual parameters and that upon termination of a procedure call the 
formal parameters are restored to their initial values. Additionally, the block statement 
limits the scope of the formal parameters so that they are not accessible upon termina- 
tion of the procedure call. So the second transition axiom describes the call-by-value 
parameter mechanism. 



Based on the transition relation — * we consider two variants of input/output seman- 
tics for recursive programs S refering to the set £ of states er, r. The partial correctness 
semantics is a mapping A^[5] : £ — » V{£) defined by 

M{S\{<j) = {t \< S> > -►♦ < E,t>}. 

The total correctness semantics is a mapping Mtot \S\ ■ £ — > V{£ U {^}) defined by 

M t ot{S]{a) = M[S\(a) U {± | S can diverge from er}. 

Here !_ is an error state signalling divergence, i.e., an infinite sequence of transitions 
starting in the configuration < S, a >. 

3 Proof systems for partial and total correctness 

Program correctness is expressed by correctness formulas of the form {p} S {q}, where 
S is a program and p and q are assertions. The assertion p is the precondition of the 
correctness formula and q is the postcondition. A correctness formula {p} S {q} is 
true in the sense of partial correctness if every terminating computation of S that starts 
in a state satisfying p terminates in a state satisfying q. And {p} S {q} is true in the 
sense of total correctness if every computation of S that starts in a state satisfying p 
terminates and its final state satisfies q. Thus in the case of partial correctness, diverging 
computations of S are not taken into account. 

Using the semantics A4 and M-tot, we formalize these two interpretations of cor- 
rectness formulas uniformly as set theoretic inclusions as follows (cf. O). For an as- 
sertion p let [p] denote the set of states satisfying p. Then we define: 

(i) The correctness formula {p} S {q} is true in the sense of partial correctness, ab- 
breviatedby |= {p} S {q}, if M[S\([p]) C[ q J. 

(ii) The correctness formula {p} S {q} is true in the sense of total correctness, abbre- 
viatedby ^ tot {p} S {q}, if M tot [S]([p]) C [q]. 

Since by definition _L ^ [q], part (ii) indeed formalizes the above intuition about total 
correctness. 

Partial Correctness 

Partial correctness of while programs is proven using the customary proof system PD 
consisting of the group of axioms and rules [T]-[7] shown in the appendix. Consider now 
partial correctness of recursive programs. First, we introduce the following rule that 
deals with the block statement. 

BLOCK 

M x:=t;S {q} 

{p} begin local x := t;S end {q} 

where var(x) n free(q) = 0. 



By free(q) we denote here the set of all free simple and array variables that have a 
free occurrence in the assertion q. 

The main issue is how to deal with the procedure calls. To this end, we want to adjust 
the proofs of 'generic' procedure calls to arbitrary ones. The definition of a generic call 
and the conditions for the correctness of such an adjustment process refer to the assumed 
set of procedure declarations D. By a generic call of a procedure P we mean a call of 
the form P{x), where x is a sequence of fresh (w.r.t. D) variables. 

First, we extend the definition of change(S) to recursive programs and sets of pro- 
cedure declarations as follows: 

change(begin local x := t;S end) = change(S) \ {x}, 
change(P(u) :: S) = change(S) \ {u}, 

change({P(u) :: S} U D) = change(P(u) :: S) U change(D) , 
change{P(i)) = 0. 

The adjustment of the generic procedure calls is then taken care of by the following 
proof rule that refers to the set of procedure declarations D: 

INSTANTIATION 

M P(x) {q} 
{p[x:=i\}P(t){q[x:=t\} 

where var(x) n var(D) = varit) n change(D) = and P(u) :: S S D for some S. 

In the following rule for recursive procedures with parameters we use the provability 
symbol h to refer to the proof system PD augmented with the auxiliary axiom and rules 
IAlHA6l defined in the appendix and the above two proof rules. 

RECURSION 

{pi} Pi(xx) {qi}, {p n } Pn(x n ) {<?«} h M S {q} , 

{pi} Pl(xi) {qi}, {p n } Pn(x n ) {<?«} h 

{p t } begin local := x. t ; Si end {q t }, i G {1, . . ., n} 

{p}S{q} 

where D = P 1 (f2 1 ) :: Si, ■ ■ ■ ,P n (u n ) :: S n and var(xi) n var(D) — for i G 
{l,...,n}. 

The intuition behind this rule is as follows. Say that a program S is (p, q)-correct if 
{p} S {q} holds in the sense of partial correctness. The second premise of the rule states 
that we can establish from the assumption of the (pi, qi) -correctness of the 'generic' 
procedure calls Pi(xi) for i G {1, . . . , n}, the (pi, (^-correctness of the procedure bod- 
ies Si for i G {1, . . . , n}, which are adjusted as in the transition axiom that deals with 
the procedure calls. Then we can prove the (pi, ^-correctness of the procedure calls 
Pi(xi) unconditionally, and thanks to the first premise establish the (p, (j)-correctness 
of the recursive program S. 

To prove partial correctness of recursive programs with parameters we use the proof 
system PR that is obtained by extending the proof system PD by the block rule, the 
instantiation rule, the recursion rule, and the auxiliary axiom and rules lA114A6l 



Note that when we deal only with one recursive procedure and use the procedure 
call as the considered recursive program, this rule simplifies to 



{p} P(x) {q} h {p} begin local u := x;S end {q} 

{p} W) m 

where D = P(u) :: S and var(x) PI var(D) = 0. 
Total Correctness 

Total correctness of while programs is proven using the proof system TD consisting of 
the group of axioms and rules [T}j5j|7] and[8]shown in the appendix. For total correctness 
of recursive programs we need a modification of the recursion rule. The provability 
symbol h refers now to the proof system TD augmented with the auxiliary rules IA21 - 
IA61 the block rule and the instantiation rule. The proof rule is a minor variation of a 
rule originally proposed in |[T| and has the following form: 

RECURSION II 

{pi} Pl(xi) {qi}, {p n } Pn{x n ) {<7n} I" {p} S {q} , 

{pi A t < z) Pi(xi) {q x }, . . . ,{p n At < z} P n (x n ) {q n } h 

{pi A t = z} begin local :— x l ;S i end {qi}, i 6 {1, . . ., n} 

{p}S{q} 

where D = Pi(ui) :: Si,..., P n (u n ) :: S n , var(xi) Dvar(D) = for i G {1, . . ., n}, 
and z is an integer variable that does not occur in p i; t, qi and Si for i S {1, . . ., n} 
and is treated in the proofs as a constant, which means that in these proofs neither the 
3-introduction rule IA4I nor the substitution rule IA6 1 defined in the appendix is applied 
to z. 

To prove total correctness of recursive programs with parameters we use the proof 
system TR that is obtained by extending the proof system TD by the block rule, the 
instantiation rule, the recursion rule II, and the auxiliary rules lA2HA6l 

As before, in the case of one recursive procedure this rule can be simplified to 

{p A t < z} P(x) {q} h {p A t = z} begin local u :— x; S end {q}, 
p^t>0 

{p} P{x) {q} 

where D — P(u) :: S, var(x) n var(D) — and z is an integer variable that does not 
occur in p, t, q and S and is treated in the proof as a constant. 

4 Modularity 



Proof system TR allows us to establish total correctness of recursive programs directly. 
However, sometimes it is more convenient to decompose the proof of total correctness 



into two separate proofs, one of partial correctness and one of termination. More specif- 
ically, given a correctness formula {p} S {q}, we first establish its partial correctness, 
using proof system PR. Then, to show termination it suffices to prove the simpler cor- 
rectness formula {p} S {true} using proof system TR. 

These two different proofs can be combined into one using the following general 
proof rule for total correctness: 

DECOMPOSITION 

\~PR {p} S {<?}, 

^tr M S {true} 

M S {q} 

where h pp and hpp refer to the proofs in the proof systems PR and TR, respectively. 

The decomposition rule and other auxiliary rules like IA2I or IA3I allow us to com- 
bine two correctness formulas derived independently. In some situations it is helpful 
to reason about procedure calls in a hierarchical way, by first deriving one correctness 
formula and then using it in a proof of another correctness formula. The following mod- 
ification of the above simplified version of the recursion rule illustrates this principle, 
where we limit ourselves to a two-stage proof and one procedure: 

MODULARITY 

{p } P(x) {q } h {p } begin local u := x; S end {q }, 

{p } P{x) {g }, M P(x) {q} h {p} begin local u := x\ S end {q} 

{p} P(x) {q} 
where D = P{u) :: S and var(x) fl var(D) = 0. 

So first we derive an auxiliary property, {pg} P{x) {go} that we subsequently use 
in the proof of the 'main' property, {p} P(x) {q}. In general, more procedures may 
be used and an arbitrary 'chain' of auxiliary properties may be constructed. In the next 
section we show that such a modular approach can lead to better structured correctness 
proofs. 

5 Correctness proof of the Quicksort procedure 

We now apply the modular proof method to verify total correctness of the Quicksort al- 
gorithm, originally introduced in [10]. For a given array a of type integer — » integer 
and integers x and y this algorithm sorts the section a[x : y] consisting of all elements 
a[i] with x < i < y. Sorting is accomplished 'in situ', i.e., the elements of the initial 
(unsorted) array section are permuted to achieve the sorting property. We consider here 
the following version of Quicksort close to the one studied in Q. It consists of a re- 
cursive procedure Quicksort(m, n), where the formal parameters m, n and the local 
variables u, w are all of type integer: 



Quick sort(m,n) :: 
if m < n 

then Partition(m, n); 
begin 

local v, w := ri, le; 

Quicksort(m, v); 
Quicksort(w, n) 
end 

fl 

Quicksort calls a non-recursive procedure Partition(m, n) which partitions the array 
a suitably, using global variables ri, le,pi of type integer standing for pivot, left, and 
right elements: 

Partition(m,n) :: 
pi := a[m]; 
le, ri := m, n; 
while le < ri do 

while a[le] < pi do le := le + 1 od; 
while pi < a[ri] do ri := ri — 1 od; 
if Ze < ri then 
swap(a[Ze], a[ri]); 
Ze, ri := le + l,ri — 1 

fl 

od 

Here for two given simple or subscripted variables u and w the program swap(u, v) 
is used to swap the values of u and v. So we stipulate that the following correctness 
formula 

{x ~ u Ay — v} swap(u, »){i = dAj/ = !i} 

holds in the sense of partial and total correctness, where x and y are fresh variables. 

In the following D denotes the set of the above two procedure declarations and Sq 
the body of the procedure Quicksort(m, n). 

Formal Problem Specification 

Correctness of Quicksort amounts to proving that upon termination of the procedure 
call Quicksortim, n) the array section a[m : n] is sorted and is a permutation of the 
input section. To write the desired correctness formula we introduce some notation. The 
assertion 

sorted(a[x : y]) = Vi, j : (x < i < j < y — > a[i] < a[j]) 

states that the integer array section a[x : y] is sorted. To express the permutation prop- 
erty we use an auxiliary array a in the section ao [x : y] of which we record the initial 
values of a [a; : y\. The abbreviation 



bij(f,x,y) = f is abijectionon Z A Vz ^ [x : y] : f(i) = i 



states that / is a bijection on Z which is the identity outside the interval [x : y). Hence 

perm(a,a ,[x : y]) = 3/ : (bij(f,x,y) AVi : a[i] = a [f(i)]) 

specifies that the array section a[x : y] is a permutation of the array section ao[x : y] 
and that a and ao are the same elsewhere. 

We can now express the correctness of Quicksort by means of the following cor- 
rectness formula: 

Ql {a = ao} Quicksort(x 1 y) {perm(a, ao, [x : y]) A sorted(a[x : y})}. 

To prove correctness of Quicksort in the sense of partial correctness we proceed in 
stages and follow the methodology explained in Section|4] In other words, we establish 
some auxiliary correctness formulas first, using among others the recursion rule. Then 
we use them as premises in order to derive other correctness formulas, also using the 
recursion rule. 

Properties of Partition 

In the proofs we shall use a number of properties of the Partition procedure. This 
procedure is non-recursive, so to verify them it suffices to prove the corresponding 
properties of the procedure body using the proof systems PD and TD, a task we leave 
to Nissim Francez. 

More precisly, we assume the following properties of Partition in the sense of 
partial correctness: 

PI {true} Partition(m,n) {ri < n A to < le}, 

P2 {x 1 < to A n < y' A perm(a, ao, [x' : y'})} 
Partition(m, n) 

{x' < m A n < y' A perm{a, ao, [x' : ?/])}, 

P3 {true} 

Partition(m, n) 
{le > ri A 

(Vie [to : ri] : a[i] < pi) A 

( Vi € [ri + 1 : le - 1] : a[i] = pi) A 

(Vi 6 [le : n] : pi <a[i])}, 

and the following property in the sense of total correctness: 

P4 {to < n} 

Partition(m, n) 

{ri — m < n — m An — le < n — to}. 



Property PI states the bounds for ri and le. We remark that le < n and m < ri need not 
hold upon termination. Property P2 implies that the call Partitioning k) permutes the 
array section a [to : n] and leaves other elements of a intact, but actually is a stronger 
statement involving an interval [x 1 : y'] that includes [m : n], so that we can carry 
out the reasoning about the recursive calls of Quicksort. Finally, property P3 captures 
the main effect of the call Partitioning k): the elements of the section a[m : n] are 
rearranged into three parts, those smaller than pi (namely a[m : ri]), those equal to pi 
(namely a[ri + 1 : le — 1]), and those larger than pi (namely a[le : n]). Property P4 is 
needed in the termination proof of the Quicksort procedure: it states that the subsec- 
tions a [to : ri] and a[le : n] are strictly smaller than the section a [to : n]. 

Auxiliary proof: permutation property 

In the remainder of this section we use the following abbreviation: 

J = m = xAn = y. 

We first extend the permutation property P2 to the procedure Quicksort: 

Q2 {perm{a, ao, [x' : y']) A x' < x A y < y'} 
Quicksort(x, y) 
{perm(a,a , [x' : y'])} 

Until further notice the provability symbol h refers to the proof system PD augmented 
with the the block rule, the instantiation rule and the auxiliary rules lA214A6l 
The appropriate claim needed for the application of the recursion rule is: 

Claim 1. 

PI, P2, Q2 h {perm{a, a , [x' : y']) A x' < x < y < y'} 
begin local m,n :— x,y; Sq end 
{perm(a,a Q , [x 1 : y'})}. 

Proof. In Figure [T] a proof outline is given that uses as assumptions the correctness 
formulas PI, P2, and Q2. More specifically, the used correctness formula about the call 
of Partition is derived from PI and P2 by the conjunction rule. In turn, the correctness 
formulas about the recursive calls of Quicksort are derived from Q2 by an application 
of the instantiation rule and the invariance rule. This concludes the proof of Claim 1 . □ 

We can now derive Q2 by the recursion rule. In summary, we proved 

PI, P2 h Q2. 

Auxiliary proof: sorting property 

We can now verify that the call Quicksort(x, y) sorts the array section a[x : y], so 
Q3 {true} Quicksort(x 1 y) {sorted(a[x : y])}. 
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Fig. 1. Proof outline showing permutation property Q2. 

The appropriate claim needed for the application of the recursion rule is: 
Claim 2. 

P3, Q2, Q3 h {true} begin local m, n := x, y; Sq end {sorted(a[x : y])}. 

Proof. In Figure |2] a proof outline is given that uses as assumptions the correctness 
formulas P3, Q2, and Q3. In the following we justify the correctness formulas about 
Partition and the recursive calls of Quicksort used in this proof outline. In the post- 
condition of Partition we use the following abbreviation: 

K = v < w A 

(Vi£ [m : v] : a[i] < pi) A 

(V i E [v + 1 : w - 1] : a[i] = pi) A 

(Vi € [w : n] : pi < a[i]). 

Observe that the correctness formula 



{J} Partition(m, n) {J A K[v, w :— ri, le]} 



{true} 
begin local 
{true} 

m, n := x, y; 
{J} 

if m < n then 

{ J A m < n} 
Partition(m, n); 
{J A K[v, w := ri, le}} 
begin local 

{J A K[v, w := ri, le}} 
v, w :— ri, le; 
{J A K} 

Quicksort{m, v); 
{sorted(a[m : v]) A J A K} 
Quick sort(w, n) 

{sorted(a[m : v] A sorted(a[w : n] A J A K} 
{sorted(a[x : v] A sorted(a[w : y] A K[m, n := x, y]} 
{sorted(a[x : y])} 
end 

{sorted(a[x : y])} 

fi 

{sorted(a[x : y])} 
end 

{sorted(a[x : y])} 

Fig. 2. Proof outline showing sorting property Q3. 

is derived from P3 by the invariance rule. Next we verify the correctness formulas 

{J A K}Quicksort(m, v){sorted(a[m : v]) A J A K}, 

and 

{sorted(a[m : v]) A J A K} 
Quicksort(w, n) 

{sorted(a[m : v] A sorted(a[w : n] A J A K}. 
about the recursive calls of Quicksort. 

Proof of [Q. By applying the instantiation rule to Q3, we obtain 
Al {true} Quick sort(m,v) {sorted(a[m : v])}. 
Moreover, by the invariance axiom, we have 
A2 {J} Quicksort{m, v) {J}. 



By applying the instantiation rule to Q2, we then obtain 

{perm{a, ao, [x' : y']) A x' < m A v < y'} 
Quicksort{m, v) 
{perm(a,a , [x' :y'])}. 

Applying next the substitution rule with the substitution \x' , y' :— m, v] yields 

{perm(a, ao,[ra:«])Am<mAi)<i)} 
Quicksort(m, v) 
{perm(a, do, [m : v))}. 

So by a trivial application of the consequence rule, we obtain 

{a = ao} Quick sort{m,v) {perm(a, ao, [m : v])}. 

We then obtain by an application of the invariance rule 

{a = ao A K[a := ao]} Quicksort(m, v) {perm(a, ao, [m : v]) A K[a := ao]}. 

Note now the following implications: 

K — > 3ao : (a = ao A K[a := ao]), 
perm(a, ao, [m : v}) A K[a := ao] — > K. 

So we conclude 

A3 {K} Quicksort(m, v) {K} 

by the 3-introduction rule and the consequence rule. Combining the correctness formu- 
las A1-A3 by the conjunction rule we get ((TJ. 

Proof of In a similar way as above, we can prove the correctness formula 

{a = ag} Quicksort(w, n) {perm(a, ao, [w : n})}. 

By an application of the invariance rule we obtain 

{a = ao A sorted(ao[m : v]) A v < w} 
Quicksort(w, n) 

{perm(a,ao, [w : n]) A sorted(ao[m : v]) A v < w}. 

Note now the following implications: 

v < w A sorted(a[m : v}) — > 3ao : (a = ao A sorted(ao[m : v]) A v < w), 
(perm(a, ao, [w : n]) A sorted(ao[m : v]) A v < w) — * sorted(a[m : v]). 

So we conclude 

Bl {v < w A sorted(a[m : v})} Quicksort(w,n) {sorted(a[m : v])} 



by the 3-introduction rule and the consequence rule. Further, by applying the instantia- 
tion rule to Q3 we obtain 

B2 {true} Quicksort(w,n) {sorted(a[w : n])}. 
Next, by the invariance axiom we obtain 
B3 { J} Quicksort(w, to) { J}. 
Further, using the implications 

K — > 3ao : (a = flo A K[a := ao]), 
perm(a, ao, [w : n]) A K[a := ao] — > K, 

we can derive from Q2, in a similar manner as in the proof of A3, 

B4 {K} Quicksort(w, n) {K}. 

Combining the correctness formulas B1-B4 by the conjunction rule and observing that 
K — > v < w holds, we get (|2j. 

The final application of the consequence rule in the proof outline given in Figure [2] 
is justified by the following crucial implication: 

sorted(a[x : v]) A sorted(a[w : y\) A K[m, n := x, y] — > 
soriea'(a[a; : y]). 

Also note that J A m > n — ■> soried(a[x : y]), so the implicit else branch is properly 
taken care of. This concludes the proof of Claim 2. □ 

We can now derive Q3 by the recursion rule. In summary, we proved 

P3, Q2 h Q3. 

The proof of partial correctness of Quicksort is now immediate: it suffices to combine 
Q2 and Q3 by the conjunction rule. Then after applying the substitution rule with the 
substitution [x 1 , y' := x, y] and the consequence rule we obtain Ql, or more precisely 

PI, P2, P3 h Ql. 

Total Correctness 

To prove termination, by the decomposition rule discussed in Section |4] it suffices to 
establish 

Q4 {true} Quicksort(x, y) {true} 

in the sense of total correctness. In the proof we rely on the property P4 of Partition: 
{to < n} Partition(m, n) {ri — m < n — m An — le < n — to}. 



The provability symbol h refers below to the proof system TD augmented with the 
block rule, the instantiation rule and the the auxiliary rules lA2l4A6l For the termination 
proof of the recursive procedure call Quicksort(x, y) we use 



t = max(y — x, 0) 

as the bound function. Since t > holds, the appropriate claim needed for the applica- 
tion of the recursion rule II is: 

Claim 3. 

P4, {t < z} Quick sort{x,y) {true} h 

{t = z} begin local m, n := x, y\ Sq end {true}. 

Proof. In Figure[3]a proof outline for total correctness is given that uses as assumptions 
the correctness formulas P4 and {t < z} Quicksort(x, y) {true}. In the following we 

{t = z} 
begin local 

{max(y — x, 0) = z} 
m, n := x. y; 
{max(?i — m, 0) = z} 
if n < k then 

{max(n -m,0)=zAm<n} 
{n — m = z A m < n} 
Partition(m, n); 

{n — m = z Am < n Ari — m < n — m An — le < n — m} 
begin local 

{n — m = z A m < n Ari — m < n — m An — le < n — m} 
v, w := ri, le; 

{n — m = z Am < n Av — m < n — m An — w < n — m} 

{max(ii — to, 0) < z A max(n — w, 0) < z} 

Quicksort(m, v); 

{max(n — w, 0) < z} 

Quicksort(w, n) 

{true} 

end 

{true} 

a 

{true} 

end 

{true} 

Fig. 3. Proof outline establishing termination of the Quicksort procedure. 



justify the correctness formulas about Partition and the recursive calls of Quicksort 



used in this proof outline. Since to, n, z change(D), we deduce from P4 using the 
invariance rule the correctness formula 

{n — m — z A m < n} 

Partition(m, n) (3) 
{n — m = z Ari— m < n — m An — le < n — m}. 

Consider now the assumption 

{t < z} Quicksort(x,y) {true}. 

Since n,w, z £ change(D), the instantiation rule and the invariance rule yield 

{max(i> — to, 0) < z A max(n — w, 0) < z} 
Quicksort(m, v) 
{max(n — w, 0) < z} 

and 

{max(n — w, 0) < z} Quicksort(w, n) {true}. 

The application of the consequence rule preceding the first recursive call of Quicksort 
is justified by the following two implications: 

(n — m = z Am < n Av — m < n — to) — » max(u — to, 0) < z, 
(n — to = z A to < n A n — w < n — to) — ► max(rt — w, 0) < z. 

This completes the proof of Claim 3. □ 

Applying now the simplified version of the recursion rule II we derive Q4. In sum- 
mary, we proved 

P4 h Q4. 



6 Conclusions 



The issue of modularity has been by now well-understood in the area of program con- 
struction. It also has been addressed in the program verification. Let us just mention 
two references, an early one and a recent one: [8] focused on modular verification of 
temporal properties of concurrent programs which were modelled as a set of modules 
that interact by means of procedure calls. In turn, [ 19] considered modular verification 
of heap manipulating programs, where the focus has been on the automatic extraction 
and verification specifications. 

However, to our knowledge no approach has been proposed to deal with correct- 
ness of recursive programs in a modular fashion. When proving correctness of the 
Quicksort program we found that the simple approach here proposed allowed us to 
structure the proof better by establishing the 'permutation property' first and then using 
it in the proof of the 'sorting property'. 

So in our approach we propose modularity at the level of proofs and not at the level 
of programs. This should be of help when organizing a mechanically verified correct- 
ness proof, by expressing the proofs of the subsidiary properties as subsidiary lemmas. 



In general, modular correctness proofs of programs are proofs from assumptions about 
subprograms, which can be considered as 'black boxes' of the given programs. Zwiers 
||20l has investigated an appropriate notion of completeness for such proofs from as- 
sumptions about black boxes, called modular completeness. 

The first proof of partial correctness of Quicksort is given in [7 |. That proof es- 
tablishes the permutation and the sorting property simultaneously, in contrast to our 
approach. For dealing with recursive procedures, Q use proof rules corresponding to 
our rules for blocks, instantiation, and recursion (for the case of one recursive proce- 
dure). They also use a so-called adaptation rule of [ 1 1 1 that allows one to adapt a given 
correctness formula about a program to other pre- and postconditions. In our approach 
we use several auxiliary rules which together have the same effect as the adaptation 
rule. The expressive power of the adaptation rule has been analyzed in [14|. No proof 
rule for the termination of recursive procedures is proposed in (7), only an informal 
argument is given why Quicksort terminates. An informal proof of total correctness of 
Partition is given in lfl2l as part of the program Find given in |9j . 

The recursion rule is modelled after the so-called Scott induction rule for fixed 
points that appeared first in the unpublished manuscript Scott and De Bakker [ 18 1. Re- 
cursion rule II for total correctness is taken from America and De Boer [1 1, where also 
the completeness of a proof system similar to TR is established. The modularity rule 
corresponds to a theorem due to Bekic |5| which states that for systems of monotonic 
functions iterative fixed points coincide with simultaneous fixed points. 
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Appendix 

We list here the used axioms and proof rules that were not defined earlier in the text. 
To establish correctness of while programs we rely on the following axioms and proof 
rules. In the proofs of partial correctness the loop rule is used, while in the proofs of 
total correctness the loop II rule is used. 

AXIOM 1: SKIP 

{p} skip {p} 

AXIOM 2: ASSIGNMENT 

{p[u :=t]}u:=t {p} 
AXIOM 3: PARALLEL ASSIGNMENT 



{p[x :=t\}x :=t {p} 



RULE 4: COMPOSITION 



M gl {r},{r}S 2 {q} 
M Sv, S 2 {q} 

RULE 5: CONDITIONAL 

{p A B] Si {g}, {p A ^B} S 2 {q} 
{p} if B then Si else S 2 fl {<?} 

{p A B] S {p} 



RULE 6: LOOP 



{p} while B do 5" od {p A ^S} 



RULE 7: CONSEQUENCE 

{p}S{q} 

RULE 8: LOOP II 

{p A B} S M, 
{j»ABAi = z}S{(<z}, 
p ->t > 

{p} while B do 5 od {jj A -. 5} 

where t is an integer expression and z is an integer variable that does not appear in 

p, B, t or S. 

Additionally, we rely on the following auxiliary axioms and proof rules that occa- 
sionally refer to the assumed set of procedure declarations D. 

AXIOM Al: IN VARIANCE 

M s { P } 

where free(p) fl (change(D) U change(S)) = 0. 
RULE A2: DISJUNCTION 

{p}S{g},{r}S{q} 
{pVr}S {q} 

RULE A3: CONJUNCTION 

{Pi} S {qi},{p 2 } S {q 2 } 



{Pi Ap 2 } 5" {ft A q 2 } 



RULE A4: 3-INTRODUCTION 



{p}S{q} 
{3x : p} S {q} 

where x £ change(D) U change(S) U free(q). 
RULE A5: INVARIANCE 

{r}S{q} 
{p A r} S {p A q} 

where free(p) CI (change(D) U change(S)) = 0. 
RULE A6: SUBSTITUTION 

{p[z:=t\}S{q[z:=t\} 
where (var(z) U var(t)) n (change(D) U change(S)) = 0. 
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